NATIONAL BANK OF MALAWI BUSINESS CONTINUITY PLAN (BCP) TRAINING Risk Division

Upload: frackson-kathibula-nyoni

Post on 12-Apr-2017


TRANSCRIPT

Page 1: BCP TRAINING AUG 2016 pptx 3rdAug2016

NATIONAL BANK OF MALAWI

BUSINESS CONTINUITY PLAN (BCP) TRAINING

Risk Division

Page 2

PRESENTATION OUTLINE
• Introduction
• Objectives of BCP
• Business Continuity Management Capabilities
• BCP Minimum Standards
• Critical Business Functions and Business Impact Analysis
• Recovery Strategies
• BCP Testing

Page 3

INTRODUCTION
• Business Continuity - Ability of the Bank to ensure continuity of service & support for its customers before, during & after a disastrous event
• Business Continuity Management - Policies, Standards & Procedures that are put in place to ensure specified services & operations are maintained or recovered in a timely manner in case of disruption. Includes DRP + BCP: BCM Policy, Physical Security Policy, Fire Management Procedures & Business Continuity Plan

Page 4

INTRODUCTION CONTINUED

• Business Continuity Plan - An action plan that outlines all procedures, processes, systems & key personnel that are necessary to resume/restore operations of the Bank in the event of a disruption

Page 5

OBJECTIVES OF BCP
• To set out roles & responsibilities in an effort to minimize the effect of a disaster on the Bank due to inadequate preparation
• To provide seamless (non-stop) services to customers
• To effectively protect the life and safety of all personnel
• To minimize the number of decisions made in an emergency situation

Page 6

OBJECTIVES OF BCP CONTINUED
• Minimize potential financial loss, legal liability & brand damage
• Decrease dependence on specific persons/groups during response, resumption & recovery phases
• Minimize impact of serious interruptions to business
• Recover business in a planned & controlled manner

Page 7

BUSINESS CONTINUITY MANAGEMENT CAPABILITIES

1. Emergency Management
2. Crisis Management
3. Major Incident Handling

Page 8

RECOVERY

1. Business Recovery
2. IT Continuity/Disaster Recovery

Page 9

EMERGENCY MANAGEMENT
• Ability of the Bank to respond to a physical event at a given site (BU/Service Centres)
• The key focus is to prevent loss of life, minimize injuries & damage to property
• Procedures & an Emergency Management Centre (EMC) must be established, maintained & operational at Bank, Division & Service Centre levels
• Emergency Management Teams (EMTs), at Bank & Divisional/Service Centre level, take control of decision-making processes & action management during a disaster

Page 10

CRISIS MANAGEMENT
• Involves identification of the crisis event, decision-making & coordination for the implementation of the business continuity response (e.g. mass resignations of senior management, civil unrest, riots, strikes, terrorist attacks and war)
• The Senior Management Team/Crisis Management Team of the Bank manages the response to the event
• A crisis management framework must have the following:

Page 11

CRISIS MANAGEMENT CONTINUED
• Crisis handling processes
• Escalation procedure to move incidents between processes
• A crisis leadership team to set crisis response strategy & coordinate activities
• Crisis response teams to respond
• Designated crisis meeting rooms

Page 12

MAJOR INCIDENT HANDLING
• Ability of the Bank to identify major disruptions to services & escalate to management (e.g. loss of access to business premises & system downtimes)
• Fit for purpose major incident handling arrangements must have the following:
• Defined list of severity levels, with incidents classified appropriately as part of the process
• Level of Disruption (LoD) assessed through the level of disruption matrix on the next slide:

Page 13

MAJOR INCIDENT HANDLING CONTINUED

LoD  Description
1    Affects isolated areas of the business operations such as a service centre or division, and the situation is well contained within the area. Probability of exceeding MTD/RTO is Low.
2    Affects a number of Service Centres or Divisions. Probability of exceeding MTD/RTO is Moderate.
3    Affects head office business premises or the production data centre (single service centre). Probability of exceeding MTD/RTO is High.
4    Affects the region or district where the Bank/Service Centre operates. May cause systemic impact. Probability of exceeding MTD/RTO is Very High.
5    Affects operations nationwide or regionally. Probability of exceeding MTD/RTO is Extremely High.

Page 14

MAJOR INCIDENT HANDLING CONTINUED

• This shall facilitate appropriate remedial actions and the essential services to be rendered under the various scenarios
• The Bank/Service Centre identifies the minimum essential services and recovery strategies for all critical business functions under each LoD above

Page 15

MAJOR INCIDENT HANDLING CONTINUED

Level of Disruption (LoD) Matrix
Institution: National Bank of Malawi/BU/Service Centre
Critical Business Function: <Name of Critical Business Function>
Date: _______________

LoD  Minimum Essential Services Provided  Business Continuity Strategy  MTD (Hour)  RTO (Hour)
1
2
3
4
5

Page 16

MAJOR INCIDENT HANDLING CONTINUED

• The Bank/Business Unit/Service Centre should then carry out a post-incident review analysis of major incident(s) that have occurred

Page 17

BUSINESS RECOVERY

• The Ability of line management to recover critical operations within business units following a major disruption

• The focus should be on the ability to relocate to alternative systems and locations for key businesses within stipulated recovery time objectives and maximum tolerable downtimes

Page 18

IT CONTINUITY/DISASTER RECOVERY
• Ability of the Bank to recover systems & IT infrastructure to support the business recovery process
• Focus is on restoration of all key IT services
• Recovery Time Objective (RTO) - Time frame required for IT systems & applications to be recovered & operationally ready to support business functions after an outage
• Maximum Tolerable Downtime (MTD) - Timeframe within which a recovery must become effective before an outage compromises the ability of the Bank to achieve its business objectives and survival.

Page 19

BCP MINIMUM STANDARDS

• “Fit for Purpose” business continuity arrangements are those that do the following:
• Determine & validate the business’ tolerance for business continuity risk(s) by carrying out a Threat & Risk Assessment
• Determine recovery objectives for each unit
• Define response and recovery plans
• Include processes to initiate business resumption

Page 20

BCP MINIMUM STANDARDS CONTINUED

• Ensure employees know roles & responsibilities in respect to Business continuity

• BCPs reviewed & updated following changes to operations/risk profile

• Provide capabilities to reduce impact of & enhance recovery from short, medium & long term disruptions

Page 21

FIT FOR PURPOSE MINIMUM STANDARDS
The following minimum standards must be adhered to:
• Education and awareness
• Risk Assessment & Business Impact Analysis
• Plan development, documentation & maintenance
• Governance
• Recovery Strategies
• Plan Testing & Demonstrated Recovery (Testing & Exercising)

Page 22

EDUCATION AND AWARENESS
• Ensure all management & staff (including third parties) understand roles & responsibilities
• Provide crisis management training
• New hire induction

Page 23

RISK ASSESSMENT
• Risk Assessment based on potential loss, inaccessibility or unavailability of:
• Key personnel, decision-makers & recovery personnel
• Office premises (service centres)
• Critical business information & records
• IT systems & infrastructure, network devices, peripherals & support systems

Page 24

BUSINESS IMPACT ANALYSIS (BIA)
BIA - The business has adequately assessed & identified the risk of interruption by:
• Identifying critical staff, systems, facilities & procedures
• Identifying the impact of not recovering them, their dependencies & the requirements for recovering them

Page 25

BIA CONTINUED

Must include:
• Key stakeholder details
• Defined ownership
• Management acceptance and approval
• Review of the adequacy of the Risk Assessment at annual intervals

Page 26

RECOVERY STRATEGIES - BU PROCESSES

Recovery strategies must ensure:
• All BU processes & staff are available to support critical operations in the event of short, medium & long term:
• data centre loss,
• work area loss, and
• people unavailability

Page 27

RECOVERY STRATEGIES - BU PROCESSES
A recovery programme must contain processes to ensure:
• Adequacy of IT resources
• Adequacy of work area recovery locations
• Adequacy of all non-IT resources
• Adequacy of incident management facilities
• Details of alternative working methods
• Recovery strategies must be reviewed annually

Page 28

RECOVERY STRATEGIES - IT
Recovery strategies should ensure that all supporting systems, applications & facilities are available to support critical operations by:
• Including invocation procedures with roles & responsibilities
• System, network, telephony, data centre
• Recovery strategy & objectives
• Recovery plans & testing strategies
• Must be reviewed annually

Page 29

PLAN DEVELOPMENT, DOCUMENTATION AND MAINTENANCE

On a quarterly basis
• Review and update all contact details

On an annual basis
• Review and update the BIA
• Review and update the BCP
• Review and update dependencies, e.g. internal & external, IT, etc.

Other
• A post-mortem of lessons learnt should be completed for any invocation of the resumption plan within 30 days of the incident/crisis response

Page 30

PLAN TESTING AND DEMONSTRATED RECOVERY
Plan testing and demonstrated recovery consists of the levels in the table below:

Testing Levels                              High Criticality  Medium Criticality  Low Criticality
Level 1  Checklist Test                     Mandatory         Mandatory           Mandatory
Level 2  Walkthrough Test                   Mandatory         Mandatory           Mandatory
Level 3  Component Test                     Mandatory         Mandatory           Optional
Level 4  Simulation Test on Production IT   Mandatory         Optional            Optional
Level 5  Planned DR Simulation              Mandatory         Optional            Optional
Level 6  Unplanned Full Simulation          Optional          Optional            Optional

Page 31

The END